To use Kerberos authentication, you must create a Kerberos Service Account (also called a Kerberos principal) on an Active Directory domain controller. You must specify this Kerberos Service Account when generating a Kerberos keytab file.
A Kerberos Service Account is a standard Active Directory user which belongs to the top-level parent domain. No special permissions are required for this user account.
Certificate Enrollment Gateway supports connections to an entire Domain Forest. Certificate Enrollment Gateway must point to the top-level domain of the forest to work across the entire forest.
You must create the same Kerberos account for all forests in cross-forest deployments.
To create a Kerberos Service Account
- Log in to the server hosting the Active Directory domain controller as a domain administrator or as a user who is a member of the built-in Account Operators domain group.
- Open the Active Directory Users and Computers administrative tool (select Start > Windows Administrative Tools > Active Directory Users and Computers).
  The Active Directory Users and Computers dialog box appears.
- Right-click the folder where you want to create the new account and select New > User.
  A New Object – User dialog box appears.
- Using the First name, Last name, and Full name fields, enter a name for the new user account.
  At a minimum, you must enter a value in the Full name field. Entering values in the First name and Last name fields automatically fills the Full name field.
- In the User logon name field, enter a Windows logon name for the user account.
- (Optional.) In the User logon name (pre-Windows 2000) field, enter a logon name for the user account for pre-Windows 2000 computers.
- Click Next.
- In the Password field, enter a password for the user account.
- In the Confirm password field, enter the password again to confirm the password.
- Deselect User must change password at next logon.
- To avoid service interruptions because of an expired password, select Password never expires. If the password ever expires, you will need to reset the password, recreate the Kerberos keytab file, and then update the Certificate Enrollment Gateway configuration.
- Click Next.
- Record the user logon name of the account (such as kerberos@example.com). You will use this logon name later to create the Kerberos keytab file.
- Click Finish.
- Double-click the account you just created.
  A Properties dialog box appears for the account.
- Click the Account tab.
- Under Account options:
  - Select This account supports Kerberos AES 128 bit encryption.
  - Select This account supports Kerberos AES 256 bit encryption.
- Click OK.
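The same account can be created from the command line with the ActiveDirectory PowerShell module, which is convenient when the account has to be reproduced identically in every forest of a cross-forest deployment. The script below is an added example, not part of the Certificate Enrollment Gateway documentation; it uses the page's sample logon name kerberos@example.com, and the SAM account name `kerberos`, the display name, and the OU path are assumed placeholders to adjust for your forest.

```powershell
# Added example (not from the Certificate Enrollment Gateway documentation):
# creates the Kerberos Service Account described above with the ActiveDirectory
# PowerShell module instead of the GUI, then reads the settings back to verify them.
# Assumptions: the SAM account name "kerberos", the display name, and the OU path
# are placeholders; the UPN is the page's sample logon name kerberos@example.com.

Import-Module ActiveDirectory

$samAccountName = 'kerberos'                                # assumed SAM account name
$upn            = 'kerberos@example.com'                    # user logon name recorded for the keytab step
$ouPath         = 'OU=ServiceAccounts,DC=example,DC=com'    # assumed OU in the forest root domain
$password       = Read-Host -AsSecureString -Prompt 'Password for the Kerberos Service Account'

# A standard user with no extra group membership or privileges, created in the
# top-level (forest root) domain so the gateway can work across the whole forest.
# -ChangePasswordAtLogon $false  = "User must change password at next logon" deselected
# -PasswordNeverExpires $true    = "Password never expires" selected
# -KerberosEncryptionType        = the two "supports Kerberos AES ... encryption" account options
New-ADUser -Name 'Kerberos Service Account' `
           -SamAccountName $samAccountName `
           -UserPrincipalName $upn `
           -Path $ouPath `
           -AccountPassword $password `
           -Enabled $true `
           -ChangePasswordAtLogon $false `
           -PasswordNeverExpires $true `
           -KerberosEncryptionType 'AES128,AES256'

# Verification: KerberosEncryptionType must list AES128 and AES256 and
# PasswordNeverExpires must be True before the keytab is generated.
# These attributes are not returned by default, so they are requested explicitly.
Get-ADUser -Identity $samAccountName `
           -Properties KerberosEncryptionType, PasswordNeverExpires, UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, KerberosEncryptionType, PasswordNeverExpires
```

Run it on a domain controller, or on a workstation with the RSAT ActiveDirectory module, as a domain administrator or an Account Operators member. The value printed for UserPrincipalName is the logon name you supply later when creating the keytab file; if KerberosEncryptionType does not show both AES128 and AES256, the keytab generated for the account will not carry the AES keys the gateway expects.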